CVE-2025-59428: EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows
Summary
EspoCRM (an open source customer relationship management application) versions before 9.1.9 let an attacker create new user accounts, including administrator accounts, by chaining two weaknesses: stored SVG injection (an uploaded SVG image can carry active content such as links or scripts that the application stores and serves back) and missing CSRF protection on the account-creation request (the server accepts a state-changing request on the strength of the session cookie alone, with no token or origin check proving the request came from the application's own front-end). An attacker with editing permissions embeds a malicious link in a Knowledge Base article; when an authenticated user clicks it, their browser sends the forged request with the victim's session cookie attached, and the server creates an attacker-controlled account with the privileges the attacker chose.
Solution / Mitigation
Update to EspoCRM version 9.1.9 or later, where this issue has been patched.
Vulnerability Details
Severity score: 5.4 (medium)
EPSS: 0.0%
Classification
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-59428
First tracked: February 15, 2026 at 08:52 PM
Classified by LLM (prompt v3) · confidence: 95%